Feat/docker

[matheusfillipe]

Summary by CodeRabbit

• New Features

  • Custom UnrealIRCd modules can now be compiled at container startup from mounted C source files
  • WebSocket and RPC services are now configurable via environment variables

• Tests

  • Comprehensive E2E test suite added using Testcontainers framework
  • Integration tests validate server connectivity, account registration, authentication flows, and SASL support

• Documentation

  • Docker deployment guide added covering setup, configuration, module integration, and troubleshooting

• Chores

  • Docker Compose configuration refactored to use external environment variables
  • Updated .gitignore for Python development artifacts

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR introduces a comprehensive test infrastructure using Testcontainers and pytest, refactors Docker deployment configuration to support WebSocket/RPC capabilities and custom module compilation, updates account registration module initialization, and includes complete Docker documentation.

Changes

Cohort / File(s)	Summary
Test Configuration .env.test, pyproject.toml, .github/workflows/e2e.yml, .gitignore	Adds test environment variables, pytest project configuration with dependencies, GitHub Actions E2E workflow triggered on push/PR to main, and excludes .venv/ and .pytest_cache/.
Docker Deployment compose.yaml, docker/Dockerfile, docker/docker-entrypoint.sh, docker/unrealircd.conf.template	Refactors Compose to use .env file and SSL-only port mapping; Dockerfile adds sqlite-dev and preserves default config; entrypoint now compiles custom C modules and conditionally configures WebSocket/RPC; template adds TLS paths, WebSocket/RPC injection, operclass default, and loopback IP ban exemption.
Docker Documentation docker/README.md, docker/DOCKER_README.md	Replaces old DOCKER_README.md (deleted) with comprehensive new README covering deployment, environment variables, custom module workflow, first-run initialization, operational procedures, and troubleshooting.
Test Fixtures & Helpers tests/conftest.py, tests/helpers.py	Adds session-scoped pytest fixtures for building test Docker images and provisioning IRC server via Testcontainers; introduces IRCClient class with IRC protocol methods (NICK/USER, SASL PLAIN, account registration, identification).
Integration Tests tests/test_server.py, tests/test_custom_modules.py	Adds test suites validating IRC welcome, capability advertisement (SASL and account-registration), account lifecycle, authentication flows, logout, and custom module compilation/resilience.
Account Registration Module obsidian.h, obsidianirc.c	Removes accreg_configposttest declaration; adds MOD_TEST() entry point to hook accreg_configtest into config validation phase.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• Dockernize #7: Overlapping Docker deployment changes in compose.yaml, docker/Dockerfile, docker/docker-entrypoint.sh, and docker/unrealircd.conf.template.
• Move things into one module. (Account reg and SASL) #6: Directly related to account-registration symbols; this PR removes accreg_configposttest declaration and adds MOD_TEST() hook integration.

Poem

🐰 A rabbit hops through Docker lanes,
Building tests with care and pains,
Custom modules compile with glee,
IRC protocols dance merrily!
With fixtures bright and helpers bold,
Test coverage stories now unfold. 🌿

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 2.63% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Title check	❓ Inconclusive	The title 'Feat/docker' is vague and uses generic naming convention without describing the actual changes or their purpose.	Consider a more descriptive title like 'Add Docker E2E testing infrastructure and refactor deployment configuration' to clearly convey the main changes.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/docker

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 0/1 reviews remaining, refill in 60 minutes.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 6

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

docker/docker-entrypoint.sh (1)

178-183: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Run UnrealIRCd in the foreground instead of hiding it behind tail.

This branch is supposed to honor ./unrealircd -F, but it starts a background daemon and makes PID 1 a tail process instead. That breaks signal propagation and can leave the container looking alive after the server has already died.

Suggested fix

-if [ "$1" = "./unrealircd" ] && [ "$2" = "-F" ]; then
-    # Start unrealircd and tail the logs to keep container running
-    su-exec unrealircd ./unrealircd start
-    exec su-exec unrealircd tail -f logs/ircd.log
+if [ "${1:-}" = "./unrealircd" ] && [ "${2:-}" = "-F" ]; then
+    exec su-exec unrealircd ./unrealircd -F
 else
     exec su-exec unrealircd "$@"
 fi

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docker/docker-entrypoint.sh` around lines 178 - 183, The current branch in
docker-entrypoint.sh that checks for "./unrealircd" and "-F" starts the daemon
with "su-exec unrealircd ./unrealircd start" and then tails logs, which hides
the real server process and breaks signal propagation; change this branch to
exec the UnrealIRCd binary directly in foreground (i.e., use exec su-exec
unrealircd ./unrealircd -F or otherwise run the server with its foreground flag)
so PID 1 is the real server and signals are forwarded correctly, replacing the
separate "start" + "tail" sequence in that if block.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@compose.yaml`:
- Line 20: The healthcheck currently hardcodes the port in the test array
("test: [\"CMD-SHELL\", \"nc -z localhost 6697\"]"), which will drift if
SSL_PORT is overridden; update the healthcheck to use the SSL_PORT environment
variable (e.g., replace the literal 6697 with ${SSL_PORT}) so the container's
healthcheck reads the same value as SSL_PORT and won't be marked unhealthy when
the port is changed.

In `@docker/docker-entrypoint.sh`:
- Around line 8-10: The current defaulting (export WS_PORT="${WS_PORT:-8080}")
makes WS_PORT always non-empty so WS_CONFIG is generated every start; remove the
hard default and treat WS_PORT (and similarly RPC_PORT/RPC_PASSWORD) as truly
optional by exporting their raw values (no fallback) and update the WS_CONFIG
generation logic to only run when WS_PORT is non-empty (use an explicit -n check
on WS_PORT before creating WS_CONFIG); apply the same change to the other
occurrences around the 41-55 block to ensure the WebSocket listener can be
disabled.

In `@docker/README.md`:
- Around line 116-120: The fenced code block containing the filehosts snippet
(the lines starting with "filehosts {" and the "host
"https://files.example.com";" entry) lacks a language tag; update the opening
fence from ``` to a language-specific tag (for example ```hcl or ```caddyfile)
so the block becomes a fenced code block with a language identifier to satisfy
markdownlint MD040.
- Around line 34-37: The WebSocket quick-start points to ws://localhost:8080
which is unreachable because the Ports/Security section states 8080 is
internal-only; update the quick-start line "WebSocket: `ws://localhost:8080`" to
either (a) show the actual published host port (e.g.
`ws://localhost:<published_port>`) and note that you must publish 8080 in your
docker run or compose, or (b) recommend connecting via a TLS-terminated reverse
proxy using `wss://localhost` if you expose only 443; reference the existing
"WebSocket: `ws://localhost:8080`" string and the "Ports/Security" section when
making the change so readers know why they must publish the port or use a proxy.

In `@obsidianirc.c`:
- Around line 41-46: The config test currently registers accreg_configtest via
MOD_TEST() after calling set_accreg_conf(), but set_accreg_conf() does not reset
the MyConf.got_* duplicate-tracking flags so subsequent config tests can see
stale "got" values; update the initialization path to clear all MyConf.got_*
flags before each config test run—either by adding a routine that explicitly
zeroes MyConf.got_* and calling it at the start of set_accreg_conf() or by
clearing those flags in MOD_TEST() before HookAdd(modinfo->handle,
HOOKTYPE_CONFIGTEST, 0, accreg_configtest) so accreg_configtest always runs with
fresh duplicate-tracking state.

In `@tests/test_server.py`:
- Around line 34-36: CAP LS 302 can be multi-line so reading just the first
matching line (via c.send("CAP LS 302") and line = c.wait_for("CAP", " LS "))
may miss capabilities; change the test to repeatedly call c.wait_for("CAP", " LS
") after c.send("CAP LS 302"), accumulate all returned lines into a single
string or list until the server indicates the end of the CAP LS response (no
continuation), then assert "sasl" (and similarly "draft/account-registration")
is present in the combined response; apply this same accumulation fix to the
other occurrence around lines 42-44.

---

Outside diff comments:
In `@docker/docker-entrypoint.sh`:
- Around line 178-183: The current branch in docker-entrypoint.sh that checks
for "./unrealircd" and "-F" starts the daemon with "su-exec unrealircd
./unrealircd start" and then tails logs, which hides the real server process and
breaks signal propagation; change this branch to exec the UnrealIRCd binary
directly in foreground (i.e., use exec su-exec unrealircd ./unrealircd -F or
otherwise run the server with its foreground flag) so PID 1 is the real server
and signals are forwarded correctly, replacing the separate "start" + "tail"
sequence in that if block.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a9cc92f5-ea17-4f5d-a706-c40766762848

📥 Commits

Reviewing files that changed from the base of the PR and between 3d9eb60 and 141d575.

⛔ Files ignored due to path filters (1)

• uv.lock is excluded by !**/*.lock

📒 Files selected for processing (17)

• .env.test
• .github/workflows/e2e.yml
• .gitignore
• compose.yaml
• docker/DOCKER_README.md
• docker/Dockerfile
• docker/README.md
• docker/docker-entrypoint.sh
• docker/unrealircd.conf.template
• obsidian.h
• obsidianirc.c
• pyproject.toml
• tests/__init__.py
• tests/conftest.py
• tests/helpers.py
• tests/test_custom_modules.py
• tests/test_server.py

💤 Files with no reviewable changes (2)

• obsidian.h
• docker/DOCKER_README.md

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Use SSL_PORT in healthcheck to avoid config drift.

Line 20 hardcodes 6697; if SSL_PORT is overridden through .env, the service can be healthy but marked unhealthy.

Proposed fix

-      test: ["CMD-SHELL", "nc -z localhost 6697"]
+      test: ["CMD-SHELL", "nc -z localhost $${SSL_PORT:-6697}"]

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	test: ["CMD-SHELL", "nc -z localhost 6697"]
	test: ["CMD-SHELL", "nc -z localhost $${SSL_PORT:-6697}"]

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@compose.yaml` at line 20, The healthcheck currently hardcodes the port in the
test array ("test: [\"CMD-SHELL\", \"nc -z localhost 6697\"]"), which will drift
if SSL_PORT is overridden; update the healthcheck to use the SSL_PORT
environment variable (e.g., replace the literal 6697 with ${SSL_PORT}) so the
container's healthcheck reads the same value as SSL_PORT and won't be marked
unhealthy when the port is changed.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

WS_PORT is not actually optional with the current defaulting.

"${WS_PORT:-8080}" is always non-empty, so WS_CONFIG is generated on every start. That makes the "only if WS_PORT is set" contract impossible to honor and removes any way to disable the WebSocket listener.

Suggested fix

-export WS_PORT="${WS_PORT:-8080}"
+export WS_PORT="${WS_PORT-}"
...
-if [ -n "$WS_PORT" ]; then
+if [ -n "${WS_PORT:-}" ]; then

Also applies to: 41-55

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docker/docker-entrypoint.sh` around lines 8 - 10, The current defaulting
(export WS_PORT="${WS_PORT:-8080}") makes WS_PORT always non-empty so WS_CONFIG
is generated every start; remove the hard default and treat WS_PORT (and
similarly RPC_PORT/RPC_PASSWORD) as truly optional by exporting their raw values
(no fallback) and update the WS_CONFIG generation logic to only run when WS_PORT
is non-empty (use an explicit -n check on WS_PORT before creating WS_CONFIG);
apply the same change to the other occurrences around the 41-55 block to ensure
the WebSocket listener can be disabled.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fix the WebSocket quick-start example.

This section tells users to connect to ws://localhost:8080, but the later Ports/Security sections say 8080 is internal-only and not published by default. As written, the first-run instructions point at an unreachable endpoint.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docker/README.md` around lines 34 - 37, The WebSocket quick-start points to
ws://localhost:8080 which is unreachable because the Ports/Security section
states 8080 is internal-only; update the quick-start line "WebSocket:
`ws://localhost:8080`" to either (a) show the actual published host port (e.g.
`ws://localhost:<published_port>`) and note that you must publish 8080 in your
docker run or compose, or (b) recommend connecting via a TLS-terminated reverse
proxy using `wss://localhost` if you expose only 443; reference the existing
"WebSocket: `ws://localhost:8080`" string and the "Ports/Security" section when
making the change so readers know why they must publish the port or use a proxy.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add a language tag to this fenced block.

This snippet is missing a fence language, so markdownlint will keep flagging MD040 here.

🧰 Tools

🪛 markdownlint-cli2 (0.22.1)

[warning] 116-116: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docker/README.md` around lines 116 - 120, The fenced code block containing
the filehosts snippet (the lines starting with "filehosts {" and the "host
"https://files.example.com";" entry) lacks a language tag; update the opening
fence from ``` to a language-specific tag (for example ```hcl or ```caddyfile)
so the block becomes a fenced code block with a language identifier to satisfy
markdownlint MD040.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Reset MyConf.got_* tracking before each config test run.

Line 44 enables accreg_configtest, but Line 43 only calls set_accreg_conf() which currently does not clear duplicate-tracking flags. After one config test pass, later config tests can falsely report duplicates for valid directives.

Proposed fix

 void set_accreg_conf(void)
 {
+    safe_free(MyConf.guest_nick_format);
+    memset(&MyConf, 0, sizeof(MyConf));
+
     MyConf.min_name_length = 3;
     MyConf.max_name_length = 50;
     MyConf.min_password_length = 8;
     MyConf.max_password_length = 200;
     MyConf.require_email = 1;
     MyConf.require_terms_acceptance = 1;
     MyConf.allow_username_changes = 1;
     MyConf.allow_password_changes = 1;
     MyConf.allow_email_changes = 1;
     safe_strdup(MyConf.guest_nick_format, "Guest$d$d$d$d");
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@obsidianirc.c` around lines 41 - 46, The config test currently registers
accreg_configtest via MOD_TEST() after calling set_accreg_conf(), but
set_accreg_conf() does not reset the MyConf.got_* duplicate-tracking flags so
subsequent config tests can see stale "got" values; update the initialization
path to clear all MyConf.got_* flags before each config test run—either by
adding a routine that explicitly zeroes MyConf.got_* and calling it at the start
of set_accreg_conf() or by clearing those flags in MOD_TEST() before
HookAdd(modinfo->handle, HOOKTYPE_CONFIGTEST, 0, accreg_configtest) so
accreg_configtest always runs with fresh duplicate-tracking state.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Collect the full CAP LS response before asserting capabilities.

CAP LS 302 can span multiple lines. These tests only inspect the first matching CAP LS line, so they will start failing once sasl or draft/account-registration moves to a continuation line.

Also applies to: 42-44

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/test_server.py` around lines 34 - 36, CAP LS 302 can be multi-line so
reading just the first matching line (via c.send("CAP LS 302") and line =
c.wait_for("CAP", " LS ")) may miss capabilities; change the test to repeatedly
call c.wait_for("CAP", " LS ") after c.send("CAP LS 302"), accumulate all
returned lines into a single string or list until the server indicates the end
of the CAP LS response (no continuation), then assert "sasl" (and similarly
"draft/account-registration") is present in the combined response; apply this
same accumulation fix to the other occurrence around lines 42-44.